chore(deps): migrate from Dependabot to Renovate #760
cailmdaley wants to merge 1 commit into
Replace Dependabot with Renovate to end the per-PR merge toil. Renovate gives a single Dependency Dashboard issue plus branch automerge: routine uv.lock updates land silently on green CI with no PR, while majors and pyproject-floor changes stay human-gated.

Supply-chain posture carried over from dependabot.yml and sharpened:

- rangeStrategy update-lockfile — routine updates touch only uv.lock, never the abstract pyproject floors (the old "floor bumps need sign-off" rule, now structural).
- 14-day cooldown (30 for majors), as before; OSV alerts add malicious-package detection on top.
- CVE fixes get a short 3-day window then automerge on green CI.
- GitHub Actions stay SHA-pinned (helpers:pinGitHubActionDigests).

Activation needs one org-admin step (install the Renovate app); see the PR description.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Why
Dependabot's only noise lever is grouping, and its security channel bypasses even that — so a same-day burst of advisories arrives as N separate PRs that a human merges by hand (four landed 2026-06-20). That's not how repos at this scale manage a lockfile.
Renovate replaces it with a single Dependency Dashboard issue plus branch automerge: routine uv.lock updates land silently on green CI with no PR at all; only things that need a human decision (majors, dependency floors) ever surface.

What's in .github/renovate.json5

- pyproject floors: rangeStrategy: update-lockfile means routine updates only ever change uv.lock, never the abstract floors
- dependabot.yml
- helpers:pinGitHubActionDigests)
- ngmix [tool.uv.sources]

Config validated with renovate-config-validator (passes clean). This PR also removes .github/dependabot.yml.

Activation — one org-admin step (⚠️ needs an admin, not just write access)

Renovate doesn't run until its runner is set up. Recommended cutover order:

1. dependabot.yml, adds the Renovate config).
2. CosmoStat/shapepipe: https://github.com/apps/renovate → Configure → select the repo. Free for public repos; runs as its own identity so CI triggers correctly. (Renovate finds the committed config and skips onboarding.)

Alternative to step 2 if the org would rather not install a third-party app: a self-hosted renovatebot/github-action on a cron with a token secret. I can add that workflow instead — say the word. (It needs an admin to add the secret either way.)

— Claude on behalf of Cail
🤖 Generated with Claude Code
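The policy that the commit message and the PR description lay out (lockfile-only routine updates, 14/30-day cooldowns, OSV alerts, a 3-day window for CVE fixes, SHA-pinned Actions, branch automerge with no PR) can be expressed in a Renovate config like the one below. This is an added illustration, not the PR's own `.github/renovate.json5`, which is not reproduced on the page; it uses Renovate's documented option names, and the exact structure the PR chose is an assumption.

```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    "config:recommended",
    // GitHub Actions stay pinned to commit SHAs rather than mutable tags.
    "helpers:pinGitHubActionDigests",
  ],
  // One dashboard issue instead of one PR per update.
  dependencyDashboard: true,
  // Routine updates refresh uv.lock only; the abstract floors in
  // pyproject.toml are never rewritten, so floor bumps stay a human change.
  rangeStrategy: "update-lockfile",
  // Cooldown: ignore releases younger than 14 days (majors get 30, below),
  // which gives registry takedowns and advisories time to land first.
  minimumReleaseAge: "14 days",
  // Land updates by pushing the branch once CI is green, with no PR.
  automerge: true,
  automergeType: "branch",
  packageRules: [
    {
      // Majors always surface on the dashboard for a human decision.
      matchUpdateTypes: ["major"],
      minimumReleaseAge: "30 days",
      automerge: false,
    },
  ],
  // OSV data adds malicious-package detection on top of GitHub advisories.
  osvVulnerabilityAlerts: true,
  // Vulnerability fixes skip the long cooldown: a short 3-day window, then
  // automerge on green CI.
  vulnerabilityAlerts: {
    minimumReleaseAge: "3 days",
    automerge: true,
    automergeType: "branch",
  },
}
```

The check worth running before committing a file like this is the one the PR description names, `renovate-config-validator`, which rejects unknown option names and malformed rules. Two caveats a reviewer would want stated: branch automerge only fires when the repository actually has required status checks on the branch, so a repo with no CI would merge untested; and `minimumReleaseAge` relies on the registry publishing release timestamps, so packages from a source that lacks them (a git dependency under `[tool.uv.sources]`, for instance) are not held back by the cooldown.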